Chapter 3. Secure Configuration
While some vulnerabilities are inherent to software and services, or to other intrinsic aspects of a digital environment, others are tied to how a specific product, software, or service is configured. This chapter covers the topic of secure configurations and discusses various aspects such as regulatory frameworks, common misconfigurations, and industry secure configuration guidance.
Regulations, Frameworks, and Laws
Regulatory frameworks and laws play a significant role in advocating for the industry adoption of best practices and secure configurations. For example, the Center for Internet Security (CIS) Benchmarks align closely and map to frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).
In the defense space, there are requirements for utilizing the Department of Defense's (DoD) Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) where possible, and for utilizing vendor and industry secure configuration guidance in the absence of an applicable STIG. The reason is that most products and software don't come to customers and consumers in a “hardened” state. This is due to the inherent give-and-take between concepts such as usability and security. Suppliers are often trying to make products as feature-rich, capable, and easy to use as possible, ...